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VIRTUAL PRIVATE NETWORK SELECTION 

The present invention relates generally to virtual private networks, and 
5 more particularly to a method and system for selectively connecting a remote 
data terminal to one or more virtual private networks using a customised client 
or a web browser. 

A virtual private network (VPN) is a private data network that is 
formed within and makes use of a larger public telecommunication network, 

10 such as the Internet, or a larger private telecommunications network. Use of a 
VPN provides companies with the same capabilities as a system of owned and 
leased telecommunication lines and exchanges, but at a much lower cost by 
using the shared public infrastructure rather than a private one. Privacy is 
maintained in a VPN through use of a tunnelling protocol, by which data is 

15 encrypted before it is sent through the public network and decrypted at the 
receiving end. An additional level of security involves encrypting not only the 
data but also the originating and receiving network addresses. VPNs therefore 
make it possible to have the same secure sharing of public resources. 
Companies today are looking at using VPNs for both Extranets and wide-area 

20 Intranets. 

It is envisaged that various services requiring the transport of video, 
audio or data information between nodes within a VPN will be offered in the 
near future. Examples of such services include financial and banking services, 
as well as traditional telephony services. The proliferation of VPN-based 

25 services will* no doubt result in individual users subscribing to and using 
several such services. 

It would therefore be desirable to provide a method and system for 
facilitating the access of users to VPNs offering such services. 
With that in mind, one aspect of the present invention provides a method for 

30 selectively connecting a data terminal to one of a plurality of VPNs, said 
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VPNs being formed within a telecommunication network, the method 
including the steps of: 

(a) storing in a first data storage computer (i) user identity information 
indicative of the identity of authorized users to one or more of said VPNs and 

5 (ii) VPN authorisation information indicative of those VPNs that each 
authorized user is authorized to use; 

(b) connecting said data terminal to the telecommunication network; 

(c) sending a user identifier indicative of a selected one of said authorized 
users to said first data storage computer; 

10 (d) retrieving a list of VPNs accessible by the selected authorized user 
from the first data storage computer; 

(e) presenting said list of VPNs at said data terminal; 

(f) accepting the selection at said data terminal of one of said virtual 
private networks; 

15 (g) authenticating the identity of said selected authorized user; and 

(h) if step (g) is successful, connecting said data terminal to the selected 
VPN. 

The telecommunication network may be a public telecommunications 
network, such as the Internet. The data terminal may be connected at step (b) 

20 to the Internet with a public IP address. Alternatively, the data terminal may 
be connected at step (b) to a private telecommunications network, with the 
data terminal being connected with a private IP address. In both cases the IP 
address of the data terminal may be changed, at step (h), to an IP address with 
access to the selected VPN. 

25 The connection of the data terminal to the public telecommunication 

network may be carried out in step (a) by a Remote Access Server. 

The user identifier may be sent from the data terminal to the first data 
storage computer in step (b) via a Web Server. 

A Web Browser may be installed in the Data Terminal to enable the 

30 entry and sending of said user identifier. 
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The list of VPNs retrieved from the first data storage computer in step 
(c) may be transmitted to the Data Terminal by the Web Server. 

The list of VPNs may be displayed at the Data Terminal by the Web 
Browser. 

5 The authenticating of the identity of the selected authorized user in step 

(g) may be performed by a RADIUS/LDAP client in conjunction with a 
RADIUS/LDAP server, said RADIUS/LDAP server storing user 
authentication information. 

The first data storage computer acts as said RADIUS/LDAP server. 

10 Alternatively, a second data storage computer may be remotely 

connectable to said RADIUS/LDAP client, said second data storage computer 
acting as said RADIUS/LDAP server. The second data storage computer may 
connectable to said RADIUS/LDAP client via the Internet. 

In another embodiment, the second data storage computer may be 

15 connectable to said RADIUS/LDAP client, said second data storage computer 
acting as said RADIUS/LDAP server, both second data storage computer and 
said RADIUS/LDAP client being remotely connectable to said Remote 
Access Server. The RADIUS/LDAP client may be connectable to said 
Remote Access Server via the Internet. 

20 Another aspect of the invention provides a system for selectively 

connecting a data terminal to one of a plurality of VPNs, said VPNs being 
formed within a telecommunication network, the system comprising: 
a first data storage computer for storing (i) user identity information indicative 
of the identity of authorized users to one or more of said VPNs and (ii) VPN 

25 authorisation- information indicative of those VPNs that each authorized user 
is authorized to use, 

connection means for connecting said data terminal to the telecommunication 
network; 

retrieval means for sending a user identifier indicative of a selected authorized 
30 user to said first data storage computer and retrieving a list of VPNs 
accessible by the selected authorized user from the first data storage computer, 
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said data terminal including 

display means for presenting said list of VPNs, and 

selection means for accepting the selection at said data terminal of one of said 
virtual private networks, the system further comprising 
5 authenticating means for authenticating the identity of said selected authorized 
user, 

said connection means acting to connect said data terminal to the selected 
VPN if the authentication is successful. 

The following description refers in more detail to the various features 

10 of the invention. To facilitate an understanding of the invention, reference is 
made in the description to the accompanying drawings where various 
embodiments of the method and system for selectively connecting a remote 
data terminal to one or more virtual private networks are illustrated. It is to be 
understood, however, that the invention is not limited to the preferred 

1 5 embodiments as illustrated in the drawings. 
In the drawings: 

Figures 1 to 5 are schematic block diagrams illustrating a first 
embodiment of a system for selectively connecting a remote terminal to one of 
a plurality of VPNs, and the flow of information between various elements of 
20 that system during operation; 

Figures 6 and 7 are schematic block diagrams illustrating a second 
embodiment of a system for selectively connecting a remote terminal to one of 

a plurality of VPNs; 

Figure 8 is a schematic block diagram illustrating a third embodiment 
25 of a system for selectively connecting a remote terminal to one of a plurality 
of VPNs; and 

Figures 9 to 1 1 are representations of graphical displays provided to the 
user of the data terminal of the systems of Figures 1 to 8 during operation. 

Referring now to Figures 1 to 5, there is shown generally a system 1 
30 for selectively connecting a data terminal 2 to one of a plurality of virtual 
private networks (VPNs). The data terminal 2 may consist of a personal 
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computer and modem to enable connection of the personal computer to the 
public telephony network. The system 1 includes a Data File Server 3, a Web 
Server 4, a Remote Authentication Dial-In User Service (RADIUS) 
communications device 5 and a Remote Access Server (RAS) 6. The File 

5 Server 3 includes a Data Storage Computer 7. 

The RAS 6 is deployed at a local telephony exchange in which the data 
terminal 2's virtual circuits aggregates into, and manages the Internet access 
for the data terminal 2 and other data terminals and devices connecting to the 
Internet via that telephony exchange. Examples of RAS's that are suitable for 

10 use with the present invention are the Redback™ Subscriber Management 
System 1000 and the Alcatel™ Data Application Network Adapter (DANA). 

The Web Server 4 provides World Wide Web services on the Internet 
to the data terminal 2 and other terminals and devices connected to the 
Internet. It may include hardware, an operating system, Web server software, 

1 5 TCP/IP protocols and Web site content (Web pages). Alternatively, the Web 
Server 4 may simply comprise software installed on a host computer that 
performs these services. The software acts to accepts requests from a Web 
browser installed in the data terminal 2 to download HTML pages and images, 
and also to execute related server-side scripts that automate functions such the 

20 searching of the LDAP data storage computer. An example of this latter type 
of Web Server is the Microsoft™ Internet Information Server. A mini-Web 
browser suitable for installation on the data terminal 2 which can adapted to 
implement the required functionality may be readily developed by a skilled 
person in the computing/telecommunications field. 

25 RADIUS is a proposed Internet Engineering Task Force (IETF) 

standard and uses a client/server protocol and software to enable remote 
access servers, such as the RAS 6, to communicate with a central server, such 
as the Data Storage Computer 7, so as to authenticate the identity of dial-in 
users and authorize their access to a requested service or system. All user 

30 authentication and network service access information is located on the Data 
Storage Computer 7, which acts as the RADIUS/LDAP server. The RADIUS 



WO 01/41392 PCT/SGOO/00192 

6 

communications device 5 (RADIUS client) and sends authentication requests 
to the Data Storage Computer 7 (RAD1US/LDAP server) and acts on 
responses sent back by the server. One example of a RADIUS 
communications device 5 suitable for use with the present invention is the 

5 Alcatel™ Service Management Centre (SMC). 

The Data Storage Computer 7 acts to store and retrieve user 
information and authorisation information. The Data Storage Computer 7 may 
operate in accordance with the Lightweight Directory Access Protocol 
(LDAP), a client-server protocol developed for accessing directory service 

10 information. One example of a Data Storage Computer 7 suitable for use with 
the present invention is the Microsoft™ Commercial Internet System (MCIS) 
with a LDAP server. MCIS has been developed for use by Commercial 
Service Providers (CSPs), such as Internet and on-line service providers, and 
includes an LDAP data storage computer. 

15 The operation of the system 1 will now be described. Initially, VPN 

identification information indicative of several VPNs to which users- may 
subscribe or otherwise be provided with access to is stored in the Data Storage 
Computer 7. In addition, user identity information indicative of the identity of 
users who are authorized to access one or more of those VPNs, and VPN 

20 authorisation information indicative of those VPNs which each user is 
authorized to access is stored in the Data Storage Computer 7. The Data 
Storage Computer 7 may also store user authentication information, such as a 
user name and a user password, for each authorised user to enable 
authentication of the identity of that user. At least some of the data stored in 

25 the Data Storage Computer 7 may be common to both the user identity 
information and the user authentication information. 

When power is provided to the Data Terminal 2, an installed dialer 
program is run to cause the Data Terminal's modem to dial the RAS 6 over a 
Permanent Virtual Circuit, such encapsulating an Ethernet or a PPP 

30 connection, to be established between the Data Terminal 2 and the RAS 6. 
Once the dialer program has been run, an IP address is assigned to the Data 
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Terminal 2 by the RAS 6 (step si), effectively connecting the Data Terminal 2 
to the public telecommunication network, and a Hyper Text Mark-up 
Language (HTML) page is retrieved from the Web Server 4 (step s2). 

The HTML page is displayed to the user by the mini-Browser installed 

5 at the Data Terminal 2 (step s3). An example of such an HTML page is shown 
in Figure 9. The HMTL page includes a field 10 for the entry of a user's name 
(step s4) or other user identifier to identify the user to the RAS 6 or to the 
Web Server 4 accessed by the RAS 6. Optionally, a cookie may be set in the 
Data Terminal 42 so that the Web Server 4 is able to provide the HTML page 

10 for display by the mini-Browser with an expected user name inserted in the 
field 10. The HTML page may contain an ActiveX object that logs the user 
out of any previous VPN to which the Data Terminal 2 is connected. If 
ActiveX is not supported by the mini-Browser platform, the HTML page may 
display a text message to the user instructing the user to log out of any current 

15 VPN. 

Once the user name is sent to the RAS 6 or the Web Server 4 (step s5), 
or alternatively, once the cookie containing the user's name is submitted, the 
Web Server 4 sends a query (step s6) to the Data Storage Computer 7 to 
retrieve from the stored user information and VPN authorisation information a 

20 list of those VPNs accessible to the identified user. The list of accessible 
VPNs is transmitted to the Web Server 4 (step s7). 

The Web Server 4 then dynamically creates a customized HTML page 
containing the list of VPNs accessible to the user, and transmits this HTML 
page to the RAS 6 and onto the Data Terminal 2 (step s8). This HTML page is 

25 displayed by the mini-Browser installed in the Data Terminal 2 (step s9). An 
example of such an HTML page is shown in Figure 10. The list of accessible 
VPNs is displayed on this page as a series of icons 20 to 24, each of which 
corresponds to a different one of the VPNs accessible to the identified user. 
The VPN that the user wishes to use is then selected by using a mouse 

30 associated with the personal computer of the Data Terminal to position a 
cursor 25 over the icon corresponding to the selected VPN (step si 0). 
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Upon selection of the desired VPN, the mini-Browser acts to display a 
further HTML page to the user (step sll). The HTML page, an example of 
which is shown in Figure 11, includes a field 30 for the entry of a user 
password (step 12). The user name, the selected VPN and the entered 

5 password are then submitted to the RAS 6 (step si 3), and forwarded to the 
RADIUS communications device 5 (step 14). An attempt is then made to 
authenticate the identity of the user and whether or not the selected VPN is 
accessible to that user through a series of communications between the 
RADIUS/LDAP communications device 5 - acting as RADIUS client - and 

10 the Data Storage Computer 7 - acting as RADIUS/LDAP server - during 
which the user name, selected VPN and password are compared to the user 
authentication information stored in the Data Storage Computer 7 (step si 5). 

If the user's identity and access to the selected VPN are authenticated, 
an authentication message is sent to the RADIUS/LDAP Communications 

15 device 5 (step si 6) and forwarded to the RAS 6 (step si 7). The RAS 6 then 
changes the IP address of the Data Terminal 2 to an IP address with access to 
the selected VPN (step si 8) and displays a "User Connected" message to the 
user via the mini-Browser. The mini-Browser can then be minimized until the 
user wishes to change VPN or disconnect. 

20 If the user reactivates the dialer program installed in the Data Terminal 

2, the user is automatically disconnected from the current VPN and presented 
with the VPN Service Selection page shown in Figure 10. The user may also 
be disconnected if the RAS 6 detects zero or a very low level of network 
activity by the user. 

25 The RADIUS/LDAP Communication device 5 may also collect 

accounting data, such as the user name, login time, logout time and VPN used. 

For each scenarios described, the presentation of a login web page, 
such as that shown in Figure 10, may not be bypassable. That is to say, a 
client cannot gain access to any of the VPNs 20 to 24 without first obtaining a 

30 page presenting the choices of subscribed VPNs. Moreover, on successful 
connection to one of the VPNs 20 to 24, the user may be presented with a 
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VPN-specific welcome page which also may not be bypassable. The control 
of the VPN-specific welcome page may be provided by the remote access 
server (RAS) 6, the RADIUS communication device 5, or the Data Storage 
Computer 7 

5 There will now be described a first variant of the system 1 . In Figures 6 

and 7, there is shown generally a system 40 for selectively connecting a data 
terminal 2 to one of a plurality of virtual private networks (VPNs), which 
includes the Data Storage Computer 7, Web Server 4, RADIUS/LDAP 
communications device 5 and a RAS 6 of Figures 1 to 5. In the system 40, 

10 however, user authentication is partially handled at a remote location from the 
RAS 6. In that regard, the system 40 includes a ftirther Data Storage 
Computer 41, acting as a remote RADIUS server, which is correctable to the 
RADIUS/LDAP communications device 5 by a telecommunications network 
42, such as the Internet. The remote RADIUS server 41 stores the user 

15 authentication information, whilst the RADIUS/LDAP communications 
device 5 acts here as a RADIUS proxy and forwards data packets for 
processing to the remote RADIUS server 41. 

In operation, steps si to sl4 are carried out in the same manner as 
described in relation to Figures 1 to 5. However, once the user name, selected 

20 VPN and password have been forwarded to the RADIUS/LDAP 
communications device 5 at step sl4, a data packet containing this 
information is sent to remote RADIUS server 41 and the identity of the user 
authenticated (step sl5')- 

If the user's identity and access to the selected VPN are authenticated, 

25 a data packet containing an authentication message is sent to the 
RADIUS/LDAP Communications device 5 (step si 6'). Thereafter, the system 
40 operates in accordance with steps sl7 and si 8 as described previously. 

Figure 8 illustrates a second variant of the system 1 . In this Figure, 
there is shown a system 50 for selectively connecting a data terminal 2 to one 

30 of a plurality of virtual private networks (VPNs), which again includes the 
Data Storage Computer 7, Web Server 4, RADIUS/LDAP communications 
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device 5 and a RAS 6 of Figures 1 to 5. In this case, however, a Remote 
Access Server which is also a RADIUS client device 51 and another Data 
Storage Computer 52 remotely connected to the RAS 6 by a 
telecommunications network, such as the Internet, are also provided. The Data 
5 Storage Computer 52, which may be a RADIUS server, stores the user 
authentication information and together with the external RADIUS client 
device 5 1 acts to entirely handle user authentication at a remote location from 
the RAS 6. 

The system 50 operates in accordance with steps si to sl3 as described 
10 in relation to Figures 1 to 5. However, in this case once the user name, 
selected VPN and password have been forwarded to the RAS 6 at step si 3, the 
RAS 6 merely forwards an entire Point-to-Point Protocol (PPP) packet 
containing the user name, selected VPN and password over a secure tunneling 
protocol - such as Layer 2 Tunneling Protocol (L2TP) - to the RADIUS client 

15 device 51 (step sl4"). 

An attempt is then made to authenticate the identity of the user and 
whether or not the selected VPN is accessible to that user through a series of 
communications between the RADIUS client device 51 and the Data Storage 
server 52 during which the user name, selected VPN and password are 

20 compared to the user authentication information stored in the server 52. 

If the user's identity and access to the selected VPN are authenticated, 
a PPP packet containing the IP address to the selected VPN is sent to Data 
Terminal 2 (step si 5"). Thereafter, the system 50 operates in accordance with 
step si 8 as described previously. 

25 Finally, it is to be understood that various modifications and/or 

additions may be made to the above-described method and system without 
departing from the ambit of the present invention as defined in the claims 
appended hereto. 
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The claims defining the invention are as follows: 

5 1. A method for selectively connecting a data terminal to one of a 
plurality of VPNs, said VPNs being formed within a telecommunication 
network, the method including the steps of: 

(a) storing in a first data storage computer (i) user identity information 
indicative of the identity of authorized users to one or more of said VPNs and 

10 (ii) VPN authorisation information indicative of those VPNs that each 
authorized user is authorized to use; 

(b) connecting said data terminal to the telecommunication network; 

(c) sending a user identifier indicative of a selected one of said authorized 
users to said first data storage computer; 

15 (d) retrieving a list of VPNs accessible by the selected authorized user 
from the first data storage computer; 

(e) presenting said list of VPNs at said data terminal; 

(f) accepting the selection at said data terminal of one of said virtual 
private networks; 

20 (g) authenticating the identity of said selected authorized user; and 

(h) if step (g) is successful, connecting said data terminal to the selected 
VPN. 

2. A method according to claim 1 , wherein 

25 said telecommunication network is a public telecommunications network, 
such as the Internet. 

3 . A method according to claim 2, wherein 

at step (b), the data terminal is connected to the public telecommunications 
30 network with a public IP address; and 
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at step (h), the IP address of the data terminal is changed to an IP address with 
access to the selected VPN. 



4. A method according to claim 1, wherein 

5 said telecommunication network is a private telecommunications network. 

5. A method according to claim 4, wherein 

at step (b), the data terminal is connected to the private telecommunications 
network with a private IP address; and 
10 at step (h), the IP address of the data terminal is changed to an IP address with 
access to the selected VPN. 

6. A method according to any one of the preceding claims, wherein 

the connection of the data terminal to the public telecommunication network 
1 5 is carried out in step (a) by a Remote Access Server. 

7. A method according to any one of the preceding claims, wherein 

the user identifier is sent from the data terminal to the first data storage 
computer in step (b) via a Web Server. 

20 

8. A method according to claim 7, wherein 

a Web Browser is installed in the Data Terminal to enable the entry and 
sending of said user identifier. 

25 9. A method according to either of claims 7 or 8, wherein 

the list of VPNs retrieved from the first data storage computer in step (c) are 
transmitted to the Data Terminal by the Web Server. 

10. A method according to claim 9, wherein 
30 the list of VPNs are displayed at the Data Terminal by the Web Browser or 
customised client. 
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11. A method according to any one of the preceding claims, wherein 

the authenticating of the identity of the selected authorized user in step (g) is 
performed by a RADIUS/LDAP client in conjunction with a RADIUS/LDAP 
5 server, said RADIUS/LDAP server storing user authentication information. 

12. A method according to claim 10, wherein said first data storage 
computer acts as said RADIUS/LDAP server. 

10 13. A method according to claim 11, wherein a second data storage 
computer is remotely connectable to said RADIUS/LDAP client, said second 
data storage computer acting as said RADIUS/LDAP server. 

14. A method according to claim 13, wherein said second data storage 
1 5 computer is connectable to said RADIUS/LDAP client via the Internet. 

15. A method according to claim 11 when dependant upon claim 6, 
wherein a second data storage computer is connectable to said 
RADIUS/LDAP client, said second data storage computer acting as said 

20 RADIUS/LDAP server, both second data storage computer and said 
RADIUS/LDAP client being remotely connectable to said Remote Access 
Server. 

16. A method according to claim 15, wherein said RADIUS/LDAP client 
25 is connectable to said Remote Access Server via the Internet. 

17. A system for selectively connecting a data terminal to one of a plurality 
of VPNs, said VPNs being formed within a telecommunication network, the 
system comprising: 

30 a first data storage computer for storing (i) user identity information indicative 
of the identity of authorized users to one or more of said VPNs and (ii) VPN 
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authorisation information indicative of those VPNs that each authorized user 
is authorized to use, 

connection means for connecting said data terminal to the telecommunication 
network; 

5 retrieval means for sending a user identifier indicative of a selected authorized 
user to said first data storage computer and retrieving a list of VPNs 
accessible by the selected authorized user from the first data storage computer, 
said data terminal including 
display means for presenting said list of VPNs, and 

10 selection means for accepting the selection at said data terminal of one of said 
virtual private networks, the system further comprising 

authenticating means for authenticating the identity of said selected authorized 
user, 

said connection means acting to connect said data terminal to the selected 
15 VPN if the authentication is successful. 

18. A system according to claim 1 7, wherein 

said telecommunication network is a public telecommunications network, 
such as the Internet. 

20 

1 9. A system according to claim 1 8, wherein 

said data terminal is connected to the public telecommunications network with 
a public IP address, 

said connection means acting to change the IP address of the data terminal to 
25 an IP address with access to the selected VPN if the authentication is 
successful. 

20. A system according to claim 1 7, wherein 

said telecommunication network is a private telecommunications network. 

30 

21. A system according to claim 20, wherein 
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29. A system according to claim 25 when dependant upon claim 22, 
wherein a second data storage computer is connectable to said 
RADIUS/LDAP client, said second data storage computer acting as said 
RADIUS/LDAP server, both second data storage computer and said 
RADIUS/LDAP client being remotely connectable to said Remote Access 
Server. 

30. A system according to claim 29, wherein said RADIUS/LDAP client is 
connectable to said Remote Access Server via the Internet. 
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Figure 4 



WO 01/41392 



5/11 



PCT/SG00/00192 




Figure 5 
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Figure 6 
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Figure ? 
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Figure lo 
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Figure U 



